[PATCH] Send 407 on url_rewrite_access/storeurl_access

From: Diego Woitasen <diegows_at_xtech.com.ar>
Date: Sat, 6 Sep 2008 21:55:02 -0300

This patch applies to Squid 2.7.STABLE4.

If we use a proxy_auth acl on {storeurl,url_rewrite}_access and the user
isn't authenticated previously, send 407.

regards,
        Diego

diff --git a/src/client_side.c b/src/client_side.c
index 23c4274..4f75ea0 100644
--- a/src/client_side.c
+++ b/src/client_side.c
@@ -448,19 +448,71 @@ clientFinishRewriteStuff(clientHttpRequest * http)
 
 }
 
-static void
-clientAccessCheckDone(int answer, void *data)
+void
+clientSendErrorReply(clientHttpRequest * http, int answer)
 {
- clientHttpRequest *http = data;
     err_type page_id;
     http_status status;
     ErrorState *err = NULL;
     char *proxy_auth_msg = NULL;
+
+ proxy_auth_msg = authenticateAuthUserRequestMessage(http->conn->auth_user_request ? http->conn->auth_user_request : http->request->auth_user_request);
+
+ int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) && !http->request->flags.transparent;
+
+ debug(33, 5) ("Access Denied: %s\n", http->uri);
+ debug(33, 5) ("AclMatchedName = %s\n",
+ AclMatchedName ? AclMatchedName : "<null>");
+ debug(33, 5) ("Proxy Auth Message = %s\n",
+ proxy_auth_msg ? proxy_auth_msg : "<null>");
+
+ /*
+ * NOTE: get page_id here, based on AclMatchedName because
+ * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
+ * clobbered in the clientCreateStoreEntry() call
+ * just below. Pedro Ribeiro <pribeiro_at_isel.pt>
+ */
+ page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH);
+ http->log_type = LOG_TCP_DENIED;
+ http->entry = clientCreateStoreEntry(http, http->request->method,
+ null_request_flags);
+ if (require_auth) {
+ if (!http->flags.accel) {
+ /* Proxy authorisation needed */
+ status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
+ } else {
+ /* WWW authorisation needed */
+ status = HTTP_UNAUTHORIZED;
+ }
+ if (page_id == ERR_NONE)
+ page_id = ERR_CACHE_ACCESS_DENIED;
+ } else {
+ status = HTTP_FORBIDDEN;
+ if (page_id == ERR_NONE)
+ page_id = ERR_ACCESS_DENIED;
+ }
+ err = errorCon(page_id, status, http->orig_request);
+ if (http->conn->auth_user_request)
+ err->auth_user_request = http->conn->auth_user_request;
+ else if (http->request->auth_user_request)
+ err->auth_user_request = http->request->auth_user_request;
+ /* lock for the error state */
+ if (err->auth_user_request)
+ authenticateAuthUserRequestLock(err->auth_user_request);
+ err->callback_data = NULL;
+ errorAppendEntry(http->entry, err);
+
+}
+
+static void
+clientAccessCheckDone(int answer, void *data)
+{
+ clientHttpRequest *http = data;
+
     debug(33, 2) ("The request %s %s is %s, because it matched '%s'\n",
         RequestMethods[http->request->method].str, http->uri,
         answer == ACCESS_ALLOWED ? "ALLOWED" : "DENIED",
         AclMatchedName ? AclMatchedName : "NO ACL's");
- proxy_auth_msg = authenticateAuthUserRequestMessage(http->conn->auth_user_request ? http->conn->auth_user_request : http->request->auth_user_request);
     http->acl_checklist = NULL;
     if (answer == ACCESS_ALLOWED) {
         safe_free(http->uri);
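Review bot: clientSendErrorReply becomes an exported routine (called from client_side_rewrite.c and client_side_storeurl_rewrite.c) but has no contract comment, and it unconditionally overwrites `http->entry` with a fresh clientCreateStoreEntry() result, so any caller that reaches it with an entry already attached would drop that reference; whether the rewrite callbacks can arrive in that state is not visible in this hunk. Add a header comment above the definition stating that it builds and queues the deny or auth-required reply for `answer`, expects `http->entry` to be NULL on entry, and relies on the global AclMatchedName still describing the check that failed, and consider an assertion on `http->entry == NULL` just before the clientCreateStoreEntry() call. Separately, `int require_auth = ...` now follows the proxy_auth_msg assignment, a mixed declaration that a strict C89 build rejects; declare it with the other locals as `int require_auth;` and assign it after the message lookup. The blank line before the closing brace can be dropped.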
@@ -469,47 +521,7 @@ clientAccessCheckDone(int answer, void *data)
         http->redirect_state = REDIRECT_PENDING;
         clientRedirectStart(http);
     } else {
- int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) && !http->request->flags.transparent;
- debug(33, 5) ("Access Denied: %s\n", http->uri);
- debug(33, 5) ("AclMatchedName = %s\n",
- AclMatchedName ? AclMatchedName : "<null>");
- debug(33, 5) ("Proxy Auth Message = %s\n",
- proxy_auth_msg ? proxy_auth_msg : "<null>");
- /*
- * NOTE: get page_id here, based on AclMatchedName because
- * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
- * clobbered in the clientCreateStoreEntry() call
- * just below. Pedro Ribeiro <pribeiro_at_isel.pt>
- */
- page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH);
- http->log_type = LOG_TCP_DENIED;
- http->entry = clientCreateStoreEntry(http, http->request->method,
- null_request_flags);
- if (require_auth) {
- if (!http->flags.accel) {
- /* Proxy authorisation needed */
- status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
- } else {
- /* WWW authorisation needed */
- status = HTTP_UNAUTHORIZED;
- }
- if (page_id == ERR_NONE)
- page_id = ERR_CACHE_ACCESS_DENIED;
- } else {
- status = HTTP_FORBIDDEN;
- if (page_id == ERR_NONE)
- page_id = ERR_ACCESS_DENIED;
- }
- err = errorCon(page_id, status, http->orig_request);
- if (http->conn->auth_user_request)
- err->auth_user_request = http->conn->auth_user_request;
- else if (http->request->auth_user_request)
- err->auth_user_request = http->request->auth_user_request;
- /* lock for the error state */
- if (err->auth_user_request)
- authenticateAuthUserRequestLock(err->auth_user_request);
- err->callback_data = NULL;
- errorAppendEntry(http->entry, err);
+ clientSendErrorReply(http, answer);
     }
 }
 
@@ -517,61 +529,17 @@ static void
 clientAccessCheckDone2(int answer, void *data)
 {
     clientHttpRequest *http = data;
- err_type page_id;
- http_status status;
- ErrorState *err = NULL;
- char *proxy_auth_msg = NULL;
+
     debug(33, 2) ("The request %s %s is %s, because it matched '%s'\n",
         RequestMethods[http->request->method].str, http->uri,
         answer == ACCESS_ALLOWED ? "ALLOWED" : "DENIED",
         AclMatchedName ? AclMatchedName : "NO ACL's");
- proxy_auth_msg = authenticateAuthUserRequestMessage(http->conn->auth_user_request ? http->conn->auth_user_request : http->request->auth_user_request);
+
     http->acl_checklist = NULL;
     if (answer == ACCESS_ALLOWED) {
         clientCheckNoCache(http);
     } else {
- int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName));
- debug(33, 5) ("Access Denied: %s\n", http->uri);
- debug(33, 5) ("AclMatchedName = %s\n",
- AclMatchedName ? AclMatchedName : "<null>");
- if (require_auth)
- debug(33, 5) ("Proxy Auth Message = %s\n",
- proxy_auth_msg ? proxy_auth_msg : "<null>");
- /*
- * NOTE: get page_id here, based on AclMatchedName because
- * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
- * clobbered in the clientCreateStoreEntry() call
- * just below. Pedro Ribeiro <pribeiro_at_isel.pt>
- */
- page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH);
- http->log_type = LOG_TCP_DENIED;
- http->entry = clientCreateStoreEntry(http, http->request->method,
- null_request_flags);
- if (require_auth) {
- if (!http->flags.accel) {
- /* Proxy authorisation needed */
- status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
- } else {
- /* WWW authorisation needed */
- status = HTTP_UNAUTHORIZED;
- }
- if (page_id == ERR_NONE)
- page_id = ERR_CACHE_ACCESS_DENIED;
- } else {
- status = HTTP_FORBIDDEN;
- if (page_id == ERR_NONE)
- page_id = ERR_ACCESS_DENIED;
- }
- err = errorCon(page_id, status, http->orig_request);
- if (http->conn->auth_user_request)
- err->auth_user_request = http->conn->auth_user_request;
- else if (http->request->auth_user_request)
- err->auth_user_request = http->request->auth_user_request;
- /* lock for the error state */
- if (err->auth_user_request)
- authenticateAuthUserRequestLock(err->auth_user_request);
- err->callback_data = NULL;
- errorAppendEntry(http->entry, err);
+ clientSendErrorReply(http, answer);
     }
 }
 
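Review bot: Routing clientAccessCheckDone2 through the shared helper changes its behaviour on a deny: the removed `int require_auth = ...` line in this hunk had no `!http->request->flags.transparent` term and the Proxy Auth Message debug line was only printed when auth was required, whereas clientSendErrorReply applies the transparent check and always prints the message. For a transparently intercepted request denied at the second check this means a 403/ERR_ACCESS_DENIED page instead of a 407 challenge, which is arguably the right unification but is not mentioned in the description. Either add a sentence to the patch description noting that clientAccessCheckDone2 now also skips the auth challenge for transparent requests, or give clientSendErrorReply a parameter that lets this caller keep its old behaviour.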
diff --git a/src/client_side_rewrite.c b/src/client_side_rewrite.c
index 14ad961..8238d89 100644
--- a/src/client_side_rewrite.c
+++ b/src/client_side_rewrite.c
@@ -45,6 +45,8 @@ clientRedirectAccessCheckDone(int answer, void *data)
     http->acl_checklist = NULL;
     if (answer == ACCESS_ALLOWED)
         redirectStart(http, clientRedirectDone, http);
+ else if (answer == ACCESS_REQ_PROXY_AUTH)
+ clientSendErrorReply(data, answer);
     else
         clientRedirectDone(http, NULL);
 }
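Review bot: The new branch passes the untyped callback argument `data` to clientSendErrorReply although the typed `http` is already in scope (the `http->acl_checklist = NULL` line above uses it); passing `http` lets the compiler check the parameter type: `else if (answer == ACCESS_REQ_PROXY_AUTH)` / `    clientSendErrorReply(http, answer);`. The same applies to the identical branch in client_side_storeurl_rewrite.c. The condition challenges only on ACCESS_REQ_PROXY_AUTH, so an explicit deny that matched a proxy_auth ACL still falls through to clientRedirectDone() with no rewrite, unlike the aclIsProxyAuth() handling in clientAccessCheckDone; if that is deliberate, a comment such as `/* only a missing-credentials result challenges; an explicit deny just skips the rewriter */` would record it. clientRedirectAccessCheckDone begins outside the hunk.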
diff --git a/src/client_side_storeurl_rewrite.c b/src/client_side_storeurl_rewrite.c
index 938a254..9f08a25 100644
--- a/src/client_side_storeurl_rewrite.c
+++ b/src/client_side_storeurl_rewrite.c
@@ -45,6 +45,8 @@ clientStoreURLRewriteAccessCheckDone(int answer, void *data)
     http->acl_checklist = NULL;
     if (answer == ACCESS_ALLOWED)
         storeurlStart(http, clientStoreURLRewriteDone, http);
+ else if (answer == ACCESS_REQ_PROXY_AUTH)
+ clientSendErrorReply(data, answer);
     else
         clientStoreURLRewriteDone(http, NULL);
 }
diff --git a/src/protos.h b/src/protos.h
index 007498e..c992bea 100644
--- a/src/protos.h
+++ b/src/protos.h
@@ -1484,6 +1484,7 @@ extern aclCheck_t *clientAclChecklistCreate(const acl_access * acl, const client
 extern void clientInterpretRequestHeaders(clientHttpRequest * http);
 extern void clientAccessCheck2(void *data);
 extern void clientFinishRewriteStuff(clientHttpRequest * http);
+extern void clientSendErrorReply(clientHttpRequest * http, int answer);
 
 
 /* client_side_redirect.c */